# Recipes not found here are looked up in parent-directory justfiles.
set fallback := true

# Tunables, overridable from the environment. Every one is exported so the
# recipes below (and the gomplate template / values file they read) see them.
export EXTERNAL_SECRETS_NAMESPACE := env("EXTERNAL_SECRETS_NAMESPACE", "external-secrets")
# Chart version is pinned rather than floating to "latest"; bump deliberately.
export EXTERNAL_SECRETS_CHART_VERSION := env("EXTERNAL_SECRETS_CHART_VERSION", "1.1.0")
# NOTE(review): not referenced by any recipe in this file -- presumably consumed
# by the gomplate template or values file; confirm before removing.
export EXTERNAL_SECRETS_REFRESH_INTERVAL := env("EXTERNAL_SECRETS_REFRESH_INTERVAL", "1800")
# NOTE(review): likewise only used outside this file (template/values) -- confirm.
export K8S_VAULT_NAMESPACE := env("K8S_VAULT_NAMESPACE", "vault")
# Host name only, no scheme. There is no sensible default, so it is required.
export VAULT_HOST := env("VAULT_HOST", "")
# Always HTTPS -- never let a plaintext Vault address sneak in via the
# environment. With VAULT_HOST empty this evaluates to the useless "https://";
# nothing here rejects that, so the vault CLI only fails later with a
# connection error.
export VAULT_ADDR := "https://" + VAULT_HOST

# Hidden default recipe: print the recipe list (in file order, submodules
# included) when `just` is run with no arguments.
[private]
default:
    @just --list-submodules --unsorted --list

# Add Helm repository
add-helm-repo:
    # Register the upstream chart repo (HTTPS) and refresh its index in one go;
    # a failed `repo add` short-circuits the update.
    helm repo add external-secrets https://charts.external-secrets.io && helm repo update

# Remove Helm repository
remove-helm-repo:
    # `rm` is helm's alias for `repo remove`.
    helm repo rm external-secrets

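# Install External Secrets (namespace, chart, Vault role and SecretStore)
install:
    just add-helm-repo

    # Create and lock down the namespace BEFORE any pod is admitted. The
    # pod-security "enforce" label is only checked at pod admission, so
    # applying it after `helm --wait` (as before) leaves the already-running
    # controller pods unvalidated until they are recreated.
    kubectl create namespace "${EXTERNAL_SECRETS_NAMESPACE}" --dry-run=client -o yaml | kubectl apply -f -
    kubectl label namespace "${EXTERNAL_SECRETS_NAMESPACE}" \
        pod-security.kubernetes.io/enforce=restricted --overwrite

    # Chart version is pinned; NOTE(review): no provenance/signature check is
    # performed on the fetched chart -- consider `helm --verify` if the
    # upstream charts are signed.
    helm upgrade --cleanup-on-fail \
        --install external-secrets external-secrets/external-secrets \
        --version "${EXTERNAL_SECRETS_CHART_VERSION}" -n "${EXTERNAL_SECRETS_NAMESPACE}" \
        --wait \
        -f external-secrets-values.yaml

    # Vault side: Kubernetes-auth role bound to the operator's service account,
    # then the SecretStore that uses it.
    just create-external-secrets-role
    just create-vault-secret-store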

# Uninstall External Secrets (leaves the Helm repo and the Vault role in place)
uninstall:
    # Remove the SecretStore first, while the controller is still installed.
    just delete-vault-secret-store
    helm uninstall external-secrets --wait -n "${EXTERNAL_SECRETS_NAMESPACE}"
    # This deletes EVERYTHING in the namespace, not only the chart's objects.
    # The Vault role written by create-external-secrets-role is not touched
    # here and has to be removed separately.
    kubectl delete namespace "${EXTERNAL_SECRETS_NAMESPACE}" --ignore-not-found

# Create Vault Secret Store for External Secrets
create-vault-secret-store:
    # Render the template with the exported variables above (presumably
    # VAULT_ADDR and the namespaces) and apply whatever it produces.
    gomplate --file ./vault-secret-store.gomplate.yaml | kubectl apply --filename -

# Delete Vault Secret Store for External Secrets
delete-vault-secret-store:
    # Same rendering as the create recipe, so the deleted object matches exactly.
    gomplate --file ./vault-secret-store.gomplate.yaml | kubectl delete --filename - --ignore-not-found

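# Create Vault role for External Secrets (token via argument or prompt; policies default to "admin")
create-external-secrets-role root_token='' policies='admin':
    #!/bin/bash
    set -euo pipefail

    # VAULT_ADDR is derived from VAULT_HOST at the top of the justfile; an
    # empty VAULT_HOST yields the address "https://", which only fails later
    # with a confusing connection error. Fail early and clearly instead.
    if [ -z "${VAULT_HOST}" ]; then
        echo "VAULT_HOST must be set (VAULT_ADDR is derived from it)" >&2
        exit 1
    fi

    # Token handling: a token given as the recipe argument is interpolated
    # verbatim into this script and is visible in `ps` output and shell
    # history -- prefer the interactive prompt for anything sensitive.
    # Any token permitted to write auth/kubernetes/role/* works; a root token
    # is not strictly required despite the prompt text.
    export VAULT_TOKEN="{{ root_token }}"
    while [ -z "${VAULT_TOKEN}" ]; do
        VAULT_TOKEN=$(gum input --prompt="Vault root token: " --password --width=100)
    done

    # Kubernetes-auth role: bound to the operator's service account in its own
    # namespace, with the projected-token audience "vault" (must match the
    # SecretStore's auth settings) and 1h token TTL.
    #
    # The attached policy defaults to "admin" for backwards compatibility.
    # That hands the operator's service account full Vault admin rights,
    # far more than the read access it needs on the secret paths it serves.
    # Once a scoped read-only policy exists, pass it explicitly, e.g.
    #   just create-external-secrets-role "" external-secrets-ro
    vault write auth/kubernetes/role/external-secrets \
        bound_service_account_names=external-secrets \
        bound_service_account_namespaces="${EXTERNAL_SECRETS_NAMESPACE}" \
        audience=vault \
        policies="{{ policies }}" \
        ttl=1h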
